Solved

Steps to get rid of Spyware

Posted on 2005-03-19
Medium Priority
2,506 Views
Last Modified: 2013-12-04
I suspect I am spending a lot more time than necessary to remove Spyware.

If the PC is obviously infected with a lot of Spyware (slow especially to boot, lots of pop-ups, many many processes are running in Windows Task Manager), should I
(1) Remove all Spyware Programs I can identify with Add-Remove Programs. Delete the Program File directories associated with Spyware,  run NAV 2005 and finally run Spyware removal programs (CW shredder, Ad-aware and Spybot).
OR
(2) Just Run NAV 2005 and then run Spyware removal programs (CW shredder, Ad-aware and Spybot). Because the Spyware removal programs will totally remove the Spyware programs and delete the Program file Spyware folders and a lot more. So the added steps in (1) achieve absolutely nothing and are a total waste of time.
OR
(3)  Just run Spyware removal programs (CW shredder, Ad-aware and Spybot).

It is worth noting Step 3 takes a lot less time than (2) and (2) takes a lot less time than (1). Because to remove Spyware programs you have to put some of the names into Google to see if they are in fact Spyware and this step takes quite a bit of time. And installing (from CD) and running NAV is very time consuming on a PC infected with Spyware for many reasons. The PC is very slow and takes forever upon reboot for the hour glass to go away and then the CPU keeps getting very busy whenever Spyware runs. So installing NAV is quite time consuming noting that NAV asks you to reboot after the install which takes 5 minutes or more on a PC that has Spyware. And you cannot run NAV Live Update in Safe mode with Networking (where the Spyware does not slow you down). And Live Update when run after an install also asks you to reboot and run Live Update again which takes more time. And then running NAV full disk scan takes a lot longer than the same operation in Ad-aware and Spybot.

So most of my time in removing Spyware is spent on the manual program and folder removal and installing, updating NAV and running NAV full-disk scan. The time to download and update and run CWshredder, Ad-Aware and Spybot is a lot less than the previous steps. SO WHAT DO YOU RECOMMEND (1), (2), OR (3) ABOVE?

Of course some of the "Spyware" symptoms could be caused by Viruses so maybe I have to run NAV no matter how long it takes.

(4) But if I installed, updated and ran NAV AFTER the Spyware removal programs, then the NAV part would go much faster.

So is (4) the procedure you recommend?



0
Question by:mgross333
34 Comments
 
LVL 12

Expert Comment

by:rossfingal
ID: 13585265
Hi!

As far as step (1) is concerned: using Add/Remove Programs is, in my opinion, essential.
Step (4) is probably the best way to go.

Good luck!

RF
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13585859
First, if running Xp or winME- turn off system restore. http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm After you've disabled system restore, the removals can begin. I am partial to ad-aware and mcafee AV, and they are really all I use.  When a computer is slow to boot, and is ultra-infested with spy-ware the fastest removal method I find is the following.
1) Turn off system restore if xp or winME
2) run ad-aware to clean what it can out of the registry and hd.
3) Power off the pc, remove the HD and put the HD in another pc as the Secondary HD-
4) Use the new pc to scan the infested HD for root-kits and spy-ware and viri
5) Place HD back in orig pc, and install firefox
6) explain to the user about using firefox, and why they should not run as admin for day-2day- activities
-rich
0
 
LVL 2

Expert Comment

by:Newjack64
ID: 13586745
Another option may be to use HijackThis.  I did a quick search for it and you can download it here:  http://www.majorgeeks.com/download3155.html
Once you get it and install it, boot up into safe mode and run HijackThis.  Once HijackThis finishes running, you can do either one of two things with the results:
a.)  post your log file here and we can look to see any suspicious log entries, or
b.) go here:  http://www.hijackthis.de/  This is a HijackThis analyzer.  You can just post your log file right there and it will automatically analyze it for you.  

Once you get your log file properly analyzed, you can then reboot back into safe mode, run HijackThis, and delete all of the suspicious log entries.  I just thought I'd add this recommendation since I didn't see it mentioned above.  Best of luck.
0
 
LVL 8

Expert Comment

by:amirinamdar
ID: 13587158
Hi mgross333,
These steps to clean your computer may be useful, since they are in a stepwise manner:
http://insanity.bizhat.com/html/modules.php?name=drill

Unfortunately, whenever I've seen this magnitude of spyware/virus problems, there is only one option that works *best*. Format and re-install!

Good Luck!
0
 

Author Comment

by:mgross333
ID: 13593034
To expert richrumble

Although my question was general in nature, can you please reply to this particular situation which was behind my question.

As you put it, the PC in question is "slow to boot, and is ultra-infested with spy-ware" (although I am not 100% sure about the slow to boot as it has only 256MB RAM which is not great with XP AND Windows Task Manager shows available physical memory going down to 40 MB during startup but it goes back up to 125 MB after startup). 2.4 GHZ Pentium chip is there.

First confirm that you do not feel on such a PC that I should even try Add/Remove programs or to delete Spyware directories in C:/Program files. I note you did not list these steps in your list but also Expert  rossfingal says above "using Add/Remove Programs is, in my opinion, essential". Do you disagree with this statement and recommend that I go right to using the Spyware (after disabling System Restore). This is very important to me because I have spent 3 hours doing these two steps as Spyware infested PCs are very slow and I have to do google searches to find what is Spyware and what is not. I would very much like to skip these steps if I could.

2nd question: Don't both Ad-aware and Spybot do everything Add/Remove programs and Deleting spyware directories in Program files would do plus a lot more. I mean don't they find every single thing about the Spyware (Registry, file and/or folder) and delete every one of them?

NOW MY MAIN QUESTION IS (but please please do not reply TILL you read ALL of this) is: Has it got to the point that most PCs with slow boot and lots of obvious spyware are going to have it in the root-kit, most likely. i.e. Have the people who write the spyware figured out how good Ad-aware and Spybot are, so they just, as a matter of course, put it in the root-kit? So I should assume from the start that I am going to have to remove the disk and take it home etc etc? The case below is a striking example. (The 2nd such case I have encountered in 2 weeks).

This is what happened. Ad-aware in Safe Mode with networking showed 1500 critical objects (COs), and deleted them. I rebooted in Normal mode, and only then disabled system restore (after reading your reply). Ran CWShredder. It found one thing and fixed/deleted it. Then, without rebooting, I ran Ad-aware again in Normal mode. About 250 Critical Objects found.  I Deleted all them.  Rebooted again, Ad-aware showed 10 COs (all in Registry) for one piece of Spyware: Deal Helper.   I thought we are almost done.

Next I rebooted and RAN SPYBOT in normal mode. It found 350 bad objects, 250 of which were Cool Web Search objects. 100 of these were DLLs in Windows or Windows/System32.

Which brings me to my next question. WHAT USE IS RUNNING CWSHREDDER? How could Spybot find 250 CWS objects after CWShredder found one type of CWS object and removed it??? (Of course there was one reboot in between).

Next I remove the 350 bad objects with Spybot, reboot, and now Spybot finds 4 things. I repeat this and Spybot finds one thing. So I'm done.

I reboot again but this time I spend about 20 minutes going to websites like Yahoo and espn and Microsoft. Nothing unusual. First thing to note is that the approximately 3-4 minute time till all the Startup programs (including NAV) have finished remains. THE STARTUP TIME HAS NOT DECREASED AT ALL.

Then the killer. I note that every IE window comes up with URL "about blank" even though I went into Internet Options and set the default home page to Yahoo and then Apply and OK. If I quickly bring up IE it goes to Yahoo but within 5 seconds all new IE windows are at "about blank". Plus even worse, I'm getting lots and lots of advertising pop-ups. Including one I know is Spyware. I have seen this on other PCs; it has a list of sites to select as if I had just done a search (but I haven't). Either the text in this Pop-up is blue or it is black text with blue underlining, in case this rings a bell for you.

SUMMARY: Ad-aware went from 1500 Crit Objects to 10. Spybot went from 350 bad Spyware objects to one. YET UPON REBOOT AND WAITING 20 MINUTES NOT ONE SPYWARE SYMPTOM HAS DISAPPEARED. NOTHING HAD IMPROVED AT ALL !!! And the PC owner wants to know how I could spend 6 hours (literally) working on the PC and not one symptom is gone. (And I also used Add/Remove programs and deleted spyware directories in Program files before all this).

So WHAT DO YOU RECOMMEND **IN GENERAL** if the PC is slow to boot and has lots of Spyware. Should I just disable System Restore, Run Ad-aware once in Normal mode, delete everything.  Reboot and test. If the Spyware symptoms are not noticeably improved, ask the PC owner if I can take the HD home (and follow steps in your list above) and SKIP RUNNING SPYBOT AND CWSHREDDER AND ADD/REMOVE PROGRAMS AT THE ORIGINAL SITE. i.e. JUST the steps in this paragraph and that's it, not one other thing. Because I have twice in two weeks spent 6 hours and not achieved anything. (In the first case, there was nothing of value in the PC, so I did a scratch install to finally get rid of the Spyware. But that will not work as most PCs do have things of value).

Note: Both the PCs referred to had these things in common: Never ran NAV or McAfee or any Virus Protection. Never downloaded Windows Updates (and both had 21 updates needed). Never ran any kind of Spyware removal or protection SW. You might say, that in this day and age, that's insane ! But trust me, many home PC owners know nothing about PC security. And those pop-ups from Microsoft about downloading Windows updates: they can't be bothered ! There are lots of PCs out there like this and I have to fix them.


0
 

Author Comment

by:mgross333
ID: 13593454
To Expert Richrumble
A short CORRECTION to my long comment immediately above. In the 2nd paragraph from the bottom, 2nd sentence. Replace "just disable system restore" with "just run NAV (after updating it), then disable system restore" and the rest of the sentence remains unchanged. I prefer NAV to McAfee but that is not the point. I obviously should run either NAV or McAfee AND Ad-aware before giving up and taking the HD home. It is also understood that Ad-aware will be updated before running it.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13593473
I do not disagree with the advice given in this thread, but do offer a word of caution- when you use add/remove programs, you're relying on the program writers to provide an accurate uninstall routine/program. I've found that they do not remove everything they install, especially registry entries, this holds true for many software installations, good or bad. Let's hope the uninstall program doesn't just move the install, or install some more stuff...
When I find a PC that is "uncurable" using just ad-aware, I remove the HD (after making sure system restore is off) and place it in another machine as a secondary. I assume it's root-kitted while there aren't many reported to be out right now, I think there are more than they know... Safemode is ok at helping, but I find if it's stubborn enough to keep mcafee or ad-aware, or even taskmanager from being able to kill the process, it's going to become a secondary hd real fast. It's not worth the time and effort in my opinion, I can't try a few things, and wait to see if they work... or wonder if it's got a root-kit. I skip over those semantics and possibilities and do what may be the "last resort" to some- do that first.

To your second question, different anti-spy-ware software makers have different definitions, and different opinions as to what is and isn't spy-ware. Some companies can be bought, offer them some money, and their application no longer sees your activeX control as a threat. I use ad-aware, mcafee AV 8.0i, M$'s beta spy-ware (it doesn't like to scan a secondary disk) and spy-bot. The only problem with doing the drive as a secondary is that you don't clean the registry. But if you remove the programs the registry references, then you're a little better off. I always run ad-aware first before I shut the machine down to try to clean the registry as best I can. Msconfig is another useful tool to use, you can copy it to win2k and use it there, as it's native to xp pro.
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13593645
I bring a pc with me if a second isn't going to be available. I bring a laptop, but use a USB "cage" to mount the IDE drive in- make things go a lot faster. I bought a cheap external usb drive from bestbuy and just leave the cover off of it to make swapping go faster.
-rich
0
 

Author Comment

by:mgross333
ID: 13593879
To expert richrumble

Thanks for all your help ! And your USB cage on laptop for mounting the secondary HD is something I am going to consider.

Regarding
> I use ad-aware, MS beta-spyware(it doesn't like to scan a secondary disk) and spy-bot.

My goal is to run TWO Spyware removers on the secondary HD. Ad-aware and what??? I can't find anything in the Spybot Menu to direct it to a secondary disk. CAN YOU HELP ME HERE? Are you saying MS beta spyware will NOT scan a secondary disk? If not, then what spyware remover other than Ad-aware will scan a secondary disk? Another expert has mentioned the Yahoo toolbar spyware remover and Ewido Security but did not say they would scan a secondary disk. NAV will scan a secondary disk but I don't think it is especially good with spyware.

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13594709
With spy-bot you have to add drives in the "downloads directory setting" http://www.safer-networking.org/en/faq/26.html (even though the faq says network drives, it allows you to specify any other drive) Also, I just checked again, and the NEW version (at least the newer version) of the M$ spy-ware program can do multiple drives. Click on Scan Options, Check Full System scan, and you can click the Folder icon beside FullSystem scan for the drives you'd like to scan. I had to install the new version of the M$ spy-ware remover to find this, this version is about 1meg bigger than the last- strange the updates didn't add the functionality... now you can use 3 ;)
-rich
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 13595052
Don't ever use Add/remove program to remove a spyware-program.

Before I purchased www.pestpatrol.com I tried to write my own program removing Hotbar, and I found out, that using Add/remove program, really assured that Hotbar was installed with the latest version available. So never use that option, it's a waste of time.

Regarding how to protect your computer, you will get the spyware again soon, unless you protect your computer, and it's not only done with an anti-SPYWARE program.
In my opinion, there are at least seven issues you need to do.
I've put them all on one page so they don't need to be listed here:
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html 

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 

Author Comment

by:mgross333
ID: 13595500
To expert Richrumble

Thanks for the advice on how to get Spybot to scan a secondary drive.

I'm trying to finish up here but am not quite there. The following two questions are closely related. In the Spybot Link in your last post, it says

"Most threats are not only files, but also linked by registry entries - removing just the files would cause the 'cleaned' Windows to produce a lot of errors. But while those messages may be harmless (and remote registry cleaning could at least be added for NT/2000/XP), there's an even worse case - some threats need to be removed by using API calls. Removing LSP hijackers by just deleting their file will disable the network access of the cleaned machine"

And you have also told me that spyware registry entries on a secondary drive will not be deleted. (Not great by the way. Spybot says in the same link that they are working on solving this deficiency on networked drives which would also work on secondary drives.)

(1) Am I going to get a lot of "harmless" error messages when I reboot on the original PC per the Spybot quote above ? Or worse is the internet not going to work if I have LSP hijackers again per the Spybot quote above? Of course the situation is not quite what the quote addresses (a networked drive vs putting the secondary drive back into the original PC).
Have you observed either of these problems in actual experience?

(2) Should I rerun both Ad-aware and Spybot after putting the drive back into the original PC to address the registry entries? Or did the Ad-aware and Spybot runs before I took the drive to my home PC address this.  I am unclear about this. If Ad-aware removes registry entries and I reboot on the original PC (BEFORE taking the HD to my home PC) won't the spyware in the root-kit recreate the registry entries? And then running Ad-aware on this drive as a secondary drive will NOT remove the spyware registry entries. That is what I am worried about in asking this question.

Note: My plan is to run NAV 2005, Ad-aware and Spybot on the secondary HD in that order and then put it back in the original PC.

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13595847
#2 is the answer...
This is why I run ad-aware and the others first, they will get the registry entries, and what ever else they can on the HD. Then once those are done, the HD is placed in the usb sled (cage) and scanned by mcafee, ad-aware, spy-bot and now M$ beta anti-spyware program. When the hd is placed back in, run the scans again for good measure, but they should not detect anything they did before, especially if system restore is off. Another useful tool still is regclean.exe from M$  http://www.pcworld.com/downloads/file_description/0,fid,4666,00.asp they've dropped support for it.
But use caution... http://support.microsoft.com/default.aspx?scid=kb;en-us;299958 Regclean looks for OLE inconsistencies, looking for files that the registry says should be there, and if they are not, it adds that registry key to be deleted (and backed up first)
-rich
0
 

Author Comment

by:mgross333
ID: 13598505
To expert richrumble

I mounted the Spyware HD as the secondary. Results of spyware scans are below.

First SHOULD I ALSO run Ewido Security Suite recommended by Davids99 in this forum plus a few people in other forums (like maybe 10 in all). This is not a lot and I am afraid to run something not from a recognized company as I have heard that in rare cases Spyware removers damage the registry and the disk becomes unusable. And as you had me delete the restore points, that would be very bad.

Results of scans: I had all Spyware removers scan the Secondary drive only but some insisted on scanning my PC's memory and registry anyway but not my files.

NAV 2005 found and deleted 109 Spyware objects on the secondary (CWS, Deal Helper, Target Saver, others). Ad-aware found and deleted 10 Crit Objects on the secondary including 3 CWS objects. Spybot found nothing at all. (There is no proof Spybot scanned the secondary as it does not display the drives or files it is scanning; I followed your directions but the Spybot Help files on this are not completely clear. Spybot also hung after the scan ended. I scanned again. It hung again after the scan ended). Finally I ran the M$ beta Spyware remover. It found one Spyware object (Media Ticket CDT) on the secondary and removed it.

Davids99 (at www.experts-exchange.com/Security/Win_Security/Q_21339185.html#13534368, 2nd post down after thread start) says Ewido Security removed some things the others could not and that is the only reason I am asking about this.

Also, something else I should mention. The Spyware disk contains a 2nd partition called HP_Recovery. It has about 3.5 GB used out of 4.5 GB total. This used space did not decrease at all or very much when I disabled System Restore. Is it possible there are restore points here but the XP System restore does not know about them and did not delete them? Note: Most of the space on this partition is in the i386 folder (3/4 GB) and Preload (2 3/4 GB) folders. The Recovery folders and the System Volume Information folders are empty.

Of course most of what's on the Spyware disk is in the first partition which was C: in the original PC.  Also all the Spyware removal scans were run on both partitions on the secondary.

Regards,
  Mike

0
 

Author Comment

by:mgross333
ID: 13600321
To expert richrumble

Why don't you recommend unplugging the original HD and booting from the secondary after running Spyware, and then rerunning spyware to get rid of registry entries BEFORE TAKING THE HD BACK TO THE ORIGINAL PC. In order TO SEE IF THE PROBLEMS ARE GONE. Maybe because you really use the USB cage on your laptop and never take the drive somewhere else.

The point is that I can't be 100% certain that this is going to work and if it didn't would want to get a HiJack This log and continue at my home. WHEN I RETURN IT TO THE PC OWNER HE EXPECTS IT (after rerunning NAV and Spyware) TO BE FIXED AND if I tell him I now need to get a Hijack This log, he is not going to be a happy camper. The problem with booting from the secondary at my home is the Spyware, if still there, would get into my PCs memory. And upon removing the secondary and returning my PC to normal, I do not know if the Spyware would still be in my memory. The key question here is whether a reboot clears every single memory location in my 1 GB of memory. DO YOU KNOW FOR SURE IF IT DOES OR NOT. I CANNOT TAKE CHANCES ABOUT THIS. I believe a reboot frees up all allocated memory but freeing up and zeroing out are not the same thing and the latter is what I need.

Regards,
   Mike
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13600678
Unless your RAM is NV-Ram (non-volatile) then each time the PC is shutdown, rebooted, or turned off- the ram is cleared by the bios and the OS, NV-Ram is found on devices like SCSI raid controllers, and in routers and switches... not pc's ram.

The problem with spy-ware is you never know if you have removed it all. You've already seen how different products find different things, or categorize different files as threats. We are relying on these companies to find and figure out how to remove all the possible spy-ware out there- a daunting task to say the least. With viri the anti-virus vendors have an easier time of finding viri, but with spy-ware being confined to your pc and not self-replicating to others, it's tougher.

The steps I take have served me well enough, I'm sure more can be done. I am all for backing up user data, and remaking the PC- and in a corporate environment I do this quite often. For friends and family I've not had to remake a pc yet with these steps, but it's getting harder and harder.

With regard to cleaning the registry on the HD mounted as a secondary-
You can't clean the registry with today's spy-ware removal tools in this fashion, as they look for the registry to be loaded... the registry is 3 files on a windows pc, and the way the scanners work is they make API calls to registry commands and locations. The API doesn't work if that registry is not loaded. At boot time the OS loads the registry of the primary device, the second drive is pretty much ignored in the sense the bios and OS don't need to look at it for things like this. They know it's there, but it's secondary and even if it's a bootable drive the MBR of the secondary drive is ignored.

When I've done "all I can" as far as cleaning, I then move to future prevention. This involves training the user to be more secure- and is the hardest part for them to swallow. If I can convince them to not run as a local administrator, then I place their account in the users group. I show them how to use RunAs if they need to install or make changes, I have a whole list of short-cuts that use runas scripts to run applications as a higher privileged user on their machine. I install FireFox and show them how to use it, tabbed browsing etc...

I truly find the restore point useless, and PERSONALLY have never fixed a machine using them. By default system restore will (when turned on) allocate space on all partitions it sees on the primary drive, and if the PC was built with a secondary drive in it, that drive too will have space allocated for system restore. If a second drive is added later, it will not allocate any space for system restore.
-rich
0
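Rich's point that scanners only reach the registry through the API, and so see nothing in the hives of a disk mounted as a secondary, can be worked around for inspection purposes by loading the hive file by hand. The following PowerShell is an added example, not code from this thread; it assumes the infected disk is mounted as D:, that the shell is elevated, and the names OfflineSoftware, Get-CommandExe and Get-OfflineAutostart are arbitrary choices made here.

```powershell
# Added example (not from the thread). Lists autostart entries in the SOFTWARE
# hive of a Windows disk mounted as a secondary drive, where Run-key scanners
# see nothing because that hive is not the loaded one.
# Assumptions: infected disk is D:, shell is elevated, mount name is arbitrary.
$OfflineWindows = 'D:\Windows'
$MountName      = 'OfflineSoftware'        # temporary key under HKLM, any unused name

function Get-CommandExe([string]$cmd) {
    # First token of a Run value: a quoted path, or everything up to the first space
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

function Get-OfflineAutostart {
    $hiveFile = Join-Path $OfflineWindows 'System32\config\software'
    & reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile (elevated? hive in use?)" }
    try {
        foreach ($sub in 'Run', 'RunOnce', 'RunServices') {
            $key = "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            foreach ($name in $item.GetValueNames()) {
                $cmd = [string]$item.GetValue($name)
                # The infected install called its system drive C:; map that onto the mounted letter
                $exe = (Get-CommandExe $cmd) -replace '^[A-Za-z]:', 'D:'
                [pscustomobject]@{
                    Key        = $sub
                    Name       = $name
                    Command    = $cmd
                    # False for a rooted path that is gone (already removed, or never existed)
                    FileOnDisk = ([System.IO.Path]::IsPathRooted($exe) -and (Test-Path -LiteralPath $exe))
                }
            }
        }
    } finally {
        # Always unload, even on error; a hive left loaded keeps the file locked
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

Get-OfflineAutostart | Format-Table -AutoSize -Wrap
```

Per-user autostart entries live in each profile's NTUSER.DAT (under D:\Documents and Settings on XP) and can be loaded the same way; values that use %SystemRoot% or other variables will show FileOnDisk as False and need checking by hand.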
 

Author Comment

by:mgross333
ID: 13601934
To expert richrumble    I HOPE YOU ARE STILL OUT THERE

IMPORTANT, IMPORTANT   TWO THINGS in order of importance

(1) In original infected PC, I have noticed something that I think is spyware, a file called froqa.exe that is in process list twice and when terminated reappears in process list. There are others too, I happened to write this one down. I put it into google/yahoo searches and it has no matches which is quite suspicious. Now after running spyware/virus scans on secondary, I did a Start/Search for froqa.exe on the secondary and you know what, it is STILL THERE as FROQA.EXE-308A2FDF.pf in a directory called Windows/Prefetch. And this directory IS LOADED WITH STUFF, much of which I do not recognize. Yet my own PC's Windows/Prefetch has a lot fewer entries and mostly things I recognize. So I did a google search on Windows/prefetch and found  www.experts-exchange.com/Operating_Systems/WinXP/Q_20711778.html  in this forum.

I am very suspicious that this directory (which it appears Spyware removal tools do not check or have left alone for some reason) is the SOURCE OF ALL OR PART OF THE PROBLEM.

My first question is CAN I SAFELY DELETE THE ENTIRE CONTENTS OF THIS FOLDER ON THE SECONDARY (but leave the empty folder there).

My second question is, per the first post of Expert CrazyOne in the above linked thread from this forum, will the boot slowdown from deleting these items ONLY OCCUR THE FIRST REBOOT AFTER DELETION AND NO SLOWDOWN AT ALL FROM THE SECOND BOOT ON? The post is not 100% clear on this. Remember one of the key symptoms the PC owner wants fixed is the 4 minute boot time till all startup programs run. So I do not want to "shoot myself in the foot" and "throw the baby out with the bathwater" by doing this. Do you know the answer with certainty on this?

Note: The following link  www.jsiinc.com/SUBL/tip5800/rh5826.htm  has more details on Windows/prefetch and may help you in answering the above questions. Note the 4th paragraph down that begins "when the system boots..." and in that paragraph note the words "..and finally opens each file referenced". That sounds to me like a good way to start spyware up at boot from this Prefetch directory. For example the mysterious "froqa.exe" or other things in the secondary's Prefetch directory.

(2) Thanks for your reply to my last post above. Unfortunately, it appears you DID NOT NOTICE MY POST ABOVE THAT ONE (results of virus/spyware scans on secondary and my question about the Ewido Security suite). PLEASE REPLY ON THAT (i.e. any comments on the scan results but more importantly, can I safely run Ewido Security Suite. Or are three different Spyware scans (four if we count NAV 2005 which did most of the Spyware deletions) enough already, anyway. Note: I am not quite sure per that post that Spybot ran on the secondary.

Regards and I hope you are still there,
   Mike
0
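The Prefetch question above (is froqa.exe still on the disk, and what else is in that folder) can be answered without deleting anything: a .pf file is only a trace of an executable that has run, named after the executable, so each trace can be matched against the executables actually present on the mounted disk. The following PowerShell is an added example, not code from this thread; it assumes the infected disk is mounted as D:, and the function names Get-ExeIndex and Get-PrefetchReport are arbitrary choices made here.

```powershell
# Added example (not from the thread). Cross-checks Windows\Prefetch on a disk
# mounted as a secondary drive against the .exe files actually present on it.
# Assumption: the infected disk is D:.
$Disk       = 'D:\'
$Prefetch   = Join-Path $Disk 'Windows\Prefetch'
$SystemDirs = '^' + [regex]::Escape($Disk) + '(Windows|Program Files)\\'

function Get-ExeIndex {
    # One pass over the whole disk (slow, but done once): UPPER name -> list of full paths
    $index = @{}
    Get-ChildItem -LiteralPath $Disk -Recurse -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $k = $_.Name.ToUpperInvariant()
            if (-not $index.ContainsKey($k)) { $index[$k] = @() }
            $index[$k] += $_.FullName
        }
    return $index
}

function Get-PrefetchReport {
    $index = Get-ExeIndex
    foreach ($f in Get-ChildItem -LiteralPath $Prefetch -File -Force) {
        if ($f.Extension -ne '.pf') {
            if ($f.Name -ieq 'Layout.ini') { continue }   # the one non-.pf file that belongs here
            [pscustomobject]@{ Trace = $f.Name; Exe = ''; Status = 'unexpected non-.pf file'; Found = '' }
            continue
        }
        # Trace files are named EXENAME.EXE-XXXXXXXX.pf; the 8 hex digits hash the exe's path
        if ($f.BaseName -notmatch '^(?<exe>.+)-[0-9A-Fa-f]{8}$') {
            [pscustomobject]@{ Trace = $f.Name; Exe = ''; Status = 'malformed name'; Found = '' }
            continue
        }
        $exe   = $Matches.exe.ToUpperInvariant()
        $paths = $index[$exe]
        $status = if ($exe -eq 'NTOSBOOT') { 'boot trace (normal)' }
                  elseif (-not $paths) { 'exe not on disk (stale, or already removed)' }
                  elseif (@($paths) -notmatch $SystemDirs) { 'exe outside Windows/Program Files: review' }
                  else { 'ok' }
        [pscustomobject]@{ Trace = $f.Name; Exe = $exe; Status = $status; Found = (@($paths) -join '; ') }
    }
}

Get-PrefetchReport | Sort-Object Status, Exe | Format-Table -AutoSize -Wrap
```

A trace whose executable is gone is just evidence that it once ran; a trace whose executable still exists outside the usual locations is the one worth submitting to the scanners before anything is deleted.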
 
LVL 12

Expert Comment

by:rossfingal
ID: 13602905
Hi!

While we wait for a reply from richrumble -
you might want to have a look at this:
http://www.tweakxp.com/article139477.aspx

RF
0
 

Author Comment

by:mgross333
ID: 13604440
To expert richrumble (or rossfingal)

I rebooted the secondary as the primary on my PC and it did not boot !!! Is this to be expected? And it in no way implies that it will not boot when returned to the original PC? Note: Afterwards I remounted it as secondary and all the files are still there from the root up.

As an aside, other experts in this forum told me it is absolutely OK to delete all the files in the Prefetch directory. See  www.experts-exchange.com/Operating_Systems/WinXP/Q_21360213.html  You do not need to reply to my posts to you on this.

Details

I deleted all the files in the Windows/Prefetch directory because it appeared some spyware was in there. Please note that this directory, in addition to files with extension ".pf" also had a dll, a regclose.old file, several dat files and log files. I backed up all the prefetch files before the delete but the copy said some info associated with every file not ending in ".pf" might be lost in the copy. I also deleted a single file in D:/temp. It was something like 2_4_8.slv and had 0 size. Due to an error this one file backup is lost. Note: D: is the secondary HD.

 I then unhooked my primary HD and rebooted, went into Startup Bios and had it boot from the secondary (which the Bios was already set to do). UNFORTUNATELY IT DID NOT BOOT. A MS screen came up saying normal boot failed. I tried Safe mode. It also failed. Normal boot from this MS screen failed again. "Use previous config" from this MS screen also failed; in this regard there are NO system restore points on this disk because, per Security experts in this forum, I deleted all of them.

The exact symptoms are, if normal boot, The Windows XP Home screen briefly appears but no green/blue small boxes move left to right in the box below. If in Safe mode, the long list of Windows/System32 files scrolls down the screen as is normal but it never boots. Following both these events the screen turns black and we are back rebooting again into the MS screen.

Now, here is my question.  Note: My own PC was also running Windows XP in case it matters.

DO YOU EXPECT THE HD FROM THE OTHER PC TO ***NOT*** BOOT because
(a) The motherboard is different
(b) The drivers for my graphics board, my wireless mouse and every other thing on my PC are also not there. With regard to this, however, isn't Windows XP plug and play so if the drivers are missing it tries to find them. But perhaps if the video driver is wrong, it giveshat one case???
(c) Some other reason

And, conversely, do you see it not booting on my PC in any way implying it will also not boot when returned to the original PC WHICH IS OF COURSE THE REAL QUESTION HERE. I only rebooted it on my PC to see if the Spyware scans had fixed the Spyware problems.

Or would you expect it to boot on my PC meaning the Spyware tools damaged the HD or the prefetch files are needed or the temp file is needed. Note: All these Spyware tools (except MS beta Spyware removal tool) had been run before at least twice when the HD was in the original PC. And it booted after those scans.

Also the original PC is an HP Pavilion PC about 1 1/2 years old. Of course the memory and chip speed are different (lower) than on my own brand new PC.

I AM QUITE CONCERNED ABOUT THIS. THE PC OWNER WILL BE QUITE UPSET IF THE HD DOES NOT BOOT ON HIS PC ! I took the HD home to my PC to fix the Spyware problems, not return it worse than before.

If you have any idea how to get it to boot on my PC without a lot of changes that would also be good but is not as essential as answers to the above.

Regards,
  Mike
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13604721
Don't do that!... Windows will not work as the hardware will be different- this will not work... Mount the HD as a secondary, use the tools, then put it back in the orig pc. You cannot expect it to work in a totally different pc.
-rich
0
 

Author Comment

by:mgross333
ID: 13605018
To richrumble

I am RELIEVED to receive your answer. However, I assumed when you replied above at 5:36 AM PST to my post at 4:50 AM that you said it was OK to do exactly this. Please read my post of 4:50 AM again. Is it not clear I was asking you if I could reboot my PC from the secondary to test if the spyware scans had fixed the problem? If my 4:50 AM post was not clear, I'm sorry.

What remains is
(1) Could my reboot from the secondary have written to the secondary HD in some bad way so that now it will not boot on the original PC? Note that it never got beyond the Windows XP Home screen, for about 1/2 second.

(2) Also, could you please comment on the files in the Windows/prefetch folder possibly causing spyware problems. For this go to my post above of 7:18 AM and read the first LONG paragraph and the following short paragraph and ignore everything else in that post.

Finally, please reply to my post of 10:23 PM 3/21/05 on running Ewido Security Suite on the original situation or when the spyware HD is a secondary, in addition to all the spyware removal tools you have recommended. Details are in that post, and also a brief report of what happened when I ran spyware removal on the secondary.

I WILL LET YOU KNOW THE RESULTS LATER TODAY WHEN THE HD IS REMOUNTED IN THE ORIGINAL PC. However, a positive result could be due to running spyware removal on the HD as secondary OR to deleting all the files in the Windows/Prefetch folder.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13605313
What you could do is zip the prefetch directory up and then delete it, if there are problems then put it back
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xetskDisablingPrefetch.asp

I've not used Ewido, but as you've seen each spyware remover finds different things, so it probably won't hurt to use it.

When you placed the secondary HD in your pc, windows plug-n-play would try to detect the new hardware, this could mess the settings up... but placing it back in the orig pc should fix it. Even if the restore points were intact they wouldn't help if you can't boot it back up- but you can use "last known good configuration"

Programs that you suspect are bad or spyware, just zip them up and delete the original, but I'd only do this when you're 1) booted up on the orig pc or 2) if you're positive these aren't system files. -

with regard to >However I assumed when you replied above at 5:36 AM PST to my post at 4:50 AM that you said it was OK to do exactly this.<
What I think got misunderstood, or wasn't clear enough was the registry not being loaded on the secondary HD?  The first steps take care of the registry...
1) disable restore
2) run scans with the tools you have at your disposal (this will scan the registry files)
3) turn off pc, unmount HD
4) place hd in a pc as a secondary hd or in a USB sled as a second hd
5) scan the secondary Hd with the tools again
6) place the secondary hd back in the pc
7) train the user on using admin rights and using runas, give them firefox and show them how to use it.
-rich

0
 
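Added example, not part of the thread and not code from either poster: before the Prefetch directory is zipped up and deleted as suggested above, the .pf files are worth reading, because they are an execution record. Each Windows XP prefetch file (format version 0x11) carries the executable name, a run count, a last-run timestamp and the list of files the program touched while starting, which is exactly the evidence you want when a name such as sdkog.exe or ghvxn.dll is in question. The script below parses that documented layout and reports every executable that is not on an allowlist, together with any DLL it loaded from \WINDOWS itself rather than \WINDOWS\SYSTEM32. The allowlist, the exception list for that rule, the placeholder hashes in the sample .pf filenames and the synthetic .pf blobs built by build_sample_prefetch() are this example's own assumptions, constructed so it runs offline.

```python
"""Inventory Windows XP Prefetch (.pf) files before wiping the directory.

Added example for this thread, not code from the original posts. It reads
the documented XP prefetch layout (format version 0x11): executable name at
0x10, loaded-file string table offset and size at 0x64 and 0x68, last-run
FILETIME at 0x78, run count at 0x90. build_sample_prefetch() constructs a
synthetic .pf blob so the script runs offline; the allowlist, the hashes in
the sample filenames and the "DLL loaded from the \\WINDOWS root" rule are
this example's own assumptions.
"""
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 0x11
HEADER_SIZE_XP = 0x98
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed allowlist: prefetch entries for these executables are not reported.
KNOWN_GOOD_EXES = {"EXPLORER.EXE", "SVCHOST.EXE", "IEXPLORE.EXE", "NAVAPW32.EXE"}
# Assumed exceptions: DLLs that XP legitimately keeps directly in \WINDOWS.
WINDOWS_ROOT_DLLS_OK = {"TWAIN_32.DLL"}


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Integer arithmetic on purpose: float seconds lose precision at 1e17 ticks."""
    delta = when - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_prefetch(data: bytes) -> dict:
    """Return exe name, last run time, run count and loaded-file list of one .pf."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != PF_SIGNATURE or version != PF_VERSION_XP:
        raise ValueError("not a Windows XP (version 0x11) prefetch file")
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    strings_off, strings_len = struct.unpack_from("<II", data, 0x64)
    (last_run,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    table = data[strings_off:strings_off + strings_len].decode("utf-16-le", errors="replace")
    return {
        "exe": exe,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "loaded": [s for s in table.split("\x00") if s],
    }


def suspicious_modules(record: dict) -> list:
    """DLLs the program loaded from \\WINDOWS itself rather than \\WINDOWS\\SYSTEM32."""
    hits = []
    for path in record["loaded"]:
        folder, _, name = path.upper().rpartition("\\")
        if name.endswith(".DLL") and folder.endswith("\\WINDOWS") and name not in WINDOWS_ROOT_DLLS_OK:
            hits.append(path)
    return hits


def triage(prefetch_files: dict) -> list:
    """prefetch_files maps .pf filename to bytes; one report per non-allowlisted executable."""
    reports = []
    for pf_name, blob in sorted(prefetch_files.items()):
        rec = parse_xp_prefetch(blob)
        if rec["exe"].upper() in KNOWN_GOOD_EXES:
            continue
        reports.append({
            "pf": pf_name,
            "exe": rec["exe"],
            "run_count": rec["run_count"],
            "last_run": rec["last_run"].isoformat(),
            "suspicious_dlls": suspicious_modules(rec),
        })
    return reports


def build_sample_prefetch(exe: str, loaded: list, last_run: datetime, run_count: int) -> bytes:
    """Constructed sample, not a real capture: minimal XP header plus string table."""
    strings = "\x00".join(loaded).encode("utf-16-le") + b"\x00\x00"
    header = bytearray(HEADER_SIZE_XP)
    struct.pack_into("<I4s", header, 0, PF_VERSION_XP, PF_SIGNATURE)
    struct.pack_into("<I", header, 0x0C, HEADER_SIZE_XP + len(strings))  # total file size
    name = exe.encode("utf-16-le")
    header[0x10:0x10 + len(name)] = name  # 60-byte NUL-padded field
    struct.pack_into("<II", header, 0x64, HEADER_SIZE_XP, len(strings))
    struct.pack_into("<Q", header, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", header, 0x90, run_count)
    return bytes(header) + strings


VOL = "\\DEVICE\\HARDDISKVOLUME1"
SAMPLE_PREFETCH_DIR = {  # constructed; the hashes in the names are placeholders
    "SDKOG.EXE-12345678.pf": build_sample_prefetch(
        "SDKOG.EXE",
        [VOL + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", VOL + "\\WINDOWS\\SDKOG.EXE", VOL + "\\WINDOWS\\GHVXN.DLL"],
        datetime(2005, 3, 21, 10, 23, tzinfo=timezone.utc), 7),
    "IEXPLORE.EXE-87654321.pf": build_sample_prefetch(
        "IEXPLORE.EXE",
        [VOL + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", VOL + "\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE"],
        datetime(2005, 3, 21, 10, 25, tzinfo=timezone.utc), 12),
}

if __name__ == "__main__":
    for report in triage(SAMPLE_PREFETCH_DIR):
        print(report)
```

To use it on a real drive, read every *.pf in the mounted secondary's WINDOWS\Prefetch into a dict of filename to bytes and pass that to triage(); the version check deliberately rejects the newer layouts used by Vista and later.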

Author Comment

by:mgross333
ID: 13621180
To Expert richrumble (and rossfingal)

After running all the NAV 2005 and spyware removal on the secondary HD (details are below) and deleting the Windows/prefetch folder and rebooting from HD on original PC, and then running NAV/Spyware removal again (to get rid of registry entries, etc,), the result is TOTAL AND COMPLETE FAILURE. Not a single Spyware Symptom is gone; there is no improvement at all and the PC owner is running out of patience with me !! (Note: I have posted a link below to the standard analysis of the HiJack This log made after rebooting from scanned HD on original PC, BUT NOTE THE ISSUES WITH HOW THE SYSTEM WAS SET UP BEFORE I CREATED THE LOG). Expert Richrumble,  can you please look at the analysis (lots of "Nasty" entries, especially in the Registry) AND TELL ME HOW TO PROCEED TO REMOVE WHAT IS OBVIOUSLY STILL THERE.
Also I told the PC owner that if the HijackThis log does not help, we will back up his personal files, delete all partitions, do a scratch XP install, reinstall his many many apps from CD (if he has not lost the CDs), set up his email accounts again, reload his personal files, and find missing drivers on the internet (all this will take several hours). He told me to try to use the HiJack This log first.

Spyware Symptoms:
(1) Slow startup. Takes 3-4 minutes for PC to display the NAV symbol in lower right taskbar (yellow oval with stethoscope). Hourglass icon comes up, disappears, comes up again during this period. Trying to run anything during this period is next-to-impossible. It won't start or if it starts, it won't run. Even Windows Task Manager (WTM) is slow to come up (but can be used during this period). I concede the RAM is only 256 MB and should be at least 512 MB for Windows XP. But I have run other XP PCs with only 256 MB that also had Spyware and they came up much faster than this. I have monitored Avail. Phys. Memory with WTM during this startup period and it drifts down to 40 MB which is bad!!! But this is probably due to Spyware that is running and taking up memory. (Note: I will add 256 MB memory for a total of 512 MB next Tuesday when I NEXT visit this PC).

(2) All IE browser windows come up with "about: blank" as URL. I use Internet options from Control Panel (or from IE tools) and change this to yahoo.com. This works if I then very quickly bring up ONE IE window. After that I continue getting "about:blank" for all further IE windows.  
Note: Ad-Aware KB specifically says this is a symptom of Cool Web Search although other Spyware might do the same thing.

(3) No pop-ups until I start using IE. If I bring up a couple of IE browser windows and go to most anything (yahoo in one, microsoft.com in the other) and wait a few minutes, all kinds of pop-ups start appearing. Obvious spyware-type pop-ups. Gets worse as time goes on.

One particular window I have seen on other Spyware infected PCs comes up and I want to describe it here. It looks like the result of a Search (but no search was done). Search results are in selectable blue text and the description below is in black text, a few lines only per "Search" result. If it is killed, it keeps appearing a few minutes later.

I also want to note a couple of constants in running the Spyware removal tools. Cool Web Search and Deal Helper keep coming up. I run a Spyware removal, it says it deleted Cool Web Search (but sometimes has trouble with Deal Helper) and then they show up again in another SpyRemoval scan report. I have run CW Shredder numerous times but not on the HD as secondary as it does not seem to have the ability to scan a secondary AND you did not recommend using it in your list of To-Dos.

BEFORE I provide the summary report on scan results on secondary and the HiJack this analysis link, I want to say the following
(1) The many many Ad-Aware configuration settings recommended at http://www.greyknight17.com/spyware.htm by Expert greyknight17 are in fact the defaults EXCEPT for the following possibly important one: Scan Within Archives. I DID NOT HAVE THIS TURNED ON. And my Ad-aware log-files do not have all the environment stuff included, but the latter is probably not important. COULD NOT HAVING SCANNED THE ARCHIVES HAVE MADE A DIFFERENCE HERE?

(2) I have discovered that Ad-aware SE Personal has a tool to remove a VX2 variant that CAN NOT be removed without this tool/plug-in. I DID NOT USE THIS TOOL. And VX2 has a TAC rating of 10. I have seen VX2 in scans on the problem PC but the point is that without this tool some VX2 variants do not even appear in the scans and hence would not be removed !

(3) I have just purchased Ad-aware SE ***PLUS*** on CD. It probably has other useful tools that might help here.

(4) Spybot has a lot of useful tools, NONE OF WHICH HAVE I USED. Catch this one. It locks the default IE browser home page so no other user of the PC can change it. If I used Internet options to change the default from about:blank to yahoo.com and immediately clicked this Spybot tool option and Apply, it might PERMANENTLY solve Spyware Symptom (2) above. Even after rebooting the PC, if the tool really works. DO YOU THINK THIS IS WORTH TRYING?

Also, I can lock the IE Hosts files from changes by other users. IS THIS WORTH TRYING?

Other Spybot tools allow suspicious BHO stuff and ActiveX stuff to be deleted (it lists all items in these two categories, with a green OK, a red bad symbol, or "does not know"). Then I can delete ones that look suspicious. DO YOU THINK THIS MIGHT BE USEFUL?

Now here is what happened when I ran NAV/Spyware tools on secondary. ALL THIS WAS ALREADY POSTED ABOVE my post of 3/21/05 10:23 PM. I recopy them here:

Results of scans: I had all Spyware removers scan the Secondary drive only but some insisted on scanning my PC's memory and registry anyway but not my files.

NAV 2005 found and deleted 109 Spyware objects (and no viruses) on the secondary (CWS, Deal Helper, Target Saver, others). Ad-aware found and deleted 10 Crit Objects on the secondary including 3 CWS objects. Spybot found nothing at all. (There is no proof Spybot scanned the secondary as it does not display the drives or files it is scanning; I followed your directions but the Spybot Help files on this are not completely clear. Spybot also hung after the scan ended. I scanned again. It hung again after the scan ended). Finally I ran the M$ beta Spyware remover. It found one Spyware object (Media Ticket CDT) on the secondary and removed it.

NOW I SKIPPED SOMETHING ABOVE. You will note almost all the work on the secondary was done by NAV 2005. But I have oversimplified what really happened. It said it deleted 69 of the 109 but did NOT delete 40 more because the deletes failed or the risk was not high. But I then found conflicting evidence. I took two specific full file pathnames and, you know what, they were no longer there!! Gone!! Then I went to the NAV log and it told a different story. It said these 40 items were "Backupped after delete". I think from all this that all 109 were deleted. But what if they were not? Then Ad-aware, Spybot (if it worked??) and Microsoft's beta tool would have caught them. So it should not matter one way or the other???

OK, OK, HERE IS THE LONG AWAITED LINK TO THE HIJACKTHIS FILE ANALYSIS WITH LOTS OF NASTIES STILL THERE.
www.hijackthis.de/logfiles/c563ac1ec3d6e1075143682e1b8e4777.html
Remember this will only remain there for three days there so you should save it in some way to your disk.

However, I screwed up in one way before creating this.  The same link from Expert greyknight17 referred to above  http://www.greyknight17.com/spyware.htm  also tells me (if I had read it) to check all boxes in the startup list (run msconfig) before making the HiJack This log. In fact, I HAD JUST BEFORE RUNNING IT (while running spyware scans on registry) unchecked a number of things I suspected of being Spyware !!!!! And then Applied and OK and rebooted !!! BUT I CONTEND IT DOES NOT MATTER AT ALL. Because after rebooting, ALL THE SPYWARE SYMPTOMS (1)-(3) ABOVE WERE STILL THERE. So unchecking these items did not get rid of the symptoms. I consider this argument AIR-TIGHT.   DO YOU DISAGREE?   Now maybe there are other things that still need to be addressed and are not in the HiJack This log but they are not causing the persistent symptoms.

EXPERT RICHRUMBLE (OR ROSSFINGAL), PLEASE ADVISE ME HOW TO PROCEED. The various scans on the secondary to get rid of possible spyware in the rootkit found lots of things (which may or may not have been in the rootkit) but they did not fix the problems!

Also to Expert Richrumble, can you ALSO PLEASE REPLY on about what % of spyware problems that remain after scans on the original PC are fixed by scanning the HD as a secondary, and about what % are not fixed this way and still remain??? From your experience. Because my impression from your posts is that this technique almost always worked. And I am a bit disappointed with the results here.

By the way, System Restore was disabled before running any spyware scans on the HD in the original PC and (I assume; I did not check, as rebooting should not change this setting) was still turned off when I put the HD back in the original PC and scanned again. However, it was NOT turned off on my own PC with the problem HD as secondary. But that should not matter, as the resulting System Restore files are stored on my PC's HD, not on the secondary.

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13621478
This situation can happen, and sometimes all you can do is rebuild. If this happens I typically rebuild the PC; I've only done this once for a friend who was very infested. In the corporate environment I do this often as it's not worth the time to run all the programs and try to fix it this way. We back up the user's data and then reimage the pc; the whole process takes 30 minutes start to finish. The problem is beyond my spy-ware removal experience. But what I would do is monitor what processes are running when IE opens, locate the exe that is listed, and look it up here to see if it's a good process (if there is no entry it's a good bet it's bad; it's definitely not a system file) http://www.processlibrary.com/notfound/index.php
If you're not able to kill the process in task manager, you'll still want to find the exe on the HD, write it down, then delete the files off-line, possibly in safe mode or as a secondary drive.
I hope that helps, I'm running out of ideas.
-rich
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13622094
Hi!

The version of "About:blank" (res-random dll)  you have is dealt with here:
http://www.pchell.com/support/onlythebest.shtml

Before you attempt removal read through the instructions and try to acquire
any tools and replacement files before you start.

This is the "offending" Service:
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkog.exe (file missing)

You also have other assorted "nasties" on your machine -
however, it's usually considered a good idea to deal with this first.
For instance: this entry shows the presence of a Trojan -
C:\WINDOWS\sysvu.exe

I would go through this removal procedure and then post a new HJT log to the analysis site -
then post a link to it here.

Any questions/problems let us know!  :)

Good luck!

RF
0
 

Author Comment

by:mgross333
ID: 13623098
To Expert rossfingal

Thanks for your advice. But, after reviewing the very VERY lengthy procedure in the link, and noting I have never used HijackThis to *FIX* something and don't even understand a lot of the terminology in this link, and also that another utility, About Buster, is needed, I have decided to proceed as follows:

Try the "quick and dirty" idea of Richrumble in the post immediately above yours which seems to aim at the same thing. And see if it works. Also to try the Spybot tool that claims to "lock" the default URL and the Spybot BHO tool also. If all this fails, make sure the PC owner has all the CDs for his apps, back up his user files, email, etc., do a scratch install, and rebuild everything. He did not say this was out of the question when I mentioned it.

The reason for my decision is only 50% the complexity of the link's advice. It is also that if this were to be done, it should have been done a lot earlier, probably before taking the HD to my home as a secondary. After using your link correctly there are still, as you note, other nasties to address, and at the end we can still not be sure that success will be achieved. And I might still have to do a scratch install. Also I have given this guy a flat rate and, at my normal hourly rate, I am already way over the amount I have quoted him. I want to cut my losses, solve the guy's problem, and move on. And the next time I see the "about:blank" URL and it is not fixed by NAV and several spyware removers, including the latest CW Shredder at that time, on the original PC, THEN I WILL FOLLOW YOUR GOOD ADVICE. But I am too far down the line here to start another lengthy approach that does not guarantee success.

THAT IS NOT QUITE ALL. I am also going to email a couple of the other security experts in this forum and invite them to provide  other "quick and dirty" fixes after scanning thru the current Hi Jack This log analysis. Things like richrumble suggests, not complete, not elegant, but maybe perhaps with luck might work. IF YOU CAN THINK OF SOMETHING ALONG THIS VEIN, PLEASE REPLY.

I may also enlist the Process-Watch tool in Ad-aware Pro (which I will have to purchase). It provides a process list like Task Manager with a 2nd valuable element. It shows the modules in memory related to that process and provides the ability to "unload" them. Using this when IE starts up (or when the many pop-ups appear) might make it easier to quickly find what I want to get rid of, "unload" it or delete it in Safe mode. Or it could come in handy in some other contexts here. I don't think it points to registry entries though but I am not sure.

Thanks again for your knowledgeable reply and for your replies in my previous security Question.

0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13623378
Hi!

I understand!
Have gotten involved with computer repairs; where I went WAY over the time-frame!  :(
Check for these running as a process or a Service - disable them (including the one I mentioned above):
DR_S.exe
?ttrib.exe
sysvu.exe
iekl.exe
mfcdh32.exe
sdkqf32.exe
ALCXMNTR.EXE
wtta.exe

These are bad one's:
mfcrw32.dll
ghvxn.dll

There are usually a hidden DLL(s) assc. with this (if you reboot; the names change) -
you might want to download and run DLLCompare - often it will show them:
http://www.gatesofdelirium.com/ee/tools/

Hope this helps!  :)

Good luck!

RF
0
 
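Added example, not code from the thread, from HijackThis or from any of the tools listed: a small triage pass that applies Rich's "find the exe and look it up" advice and the name list above to a HijackThis log instead of doing it by eye. It flags R0/R1 entries pointing at about:blank or a res:// URL (the hijacked start page symptom), any running process, BHO, Run entry or service whose file name is on the list, any binary placed directly in \WINDOWS rather than \WINDOWS\SYSTEM32 or Program Files (a heuristic assumed here, with a short exception list for files XP really does keep there), and O23 services whose binary is "(file missing)". The sample log is constructed for the demo; only its O23 line is quoted from rossfingal's post, and the all-zero CLSID is a placeholder.

```python
"""Triage a HijackThis log against the names posted in this thread.

Added example, not code from the original posts and not part of HijackThis.
DENY_LIST holds the process and DLL names listed above; SAMPLE_LOG is
constructed for the demo (only the O23 line is quoted from the thread, and
the all-zero CLSID is a placeholder); the "binary directly under \\WINDOWS"
rule and its exception list are this example's own heuristics.
"""
import re
from collections import namedtuple

DENY_LIST = frozenset(name.lower() for name in (
    "DR_S.exe", "sysvu.exe", "iekl.exe", "mfcdh32.exe", "sdkqf32.exe",
    "ALCXMNTR.EXE", "wtta.exe", "sdkog.exe", "mfcrw32.dll", "ghvxn.dll",
))
# Assumed: files XP legitimately keeps directly in \WINDOWS, not SYSTEM32.
WINDOWS_ROOT_OK = frozenset({"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "twain_32.dll"})

ITEM_RE = re.compile(r"^(?P<code>[RFON]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll)\b", re.IGNORECASE)
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")

Finding = namedtuple("Finding", "code reason path")

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysvu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mfcrw32.dll/sp.html
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\ghvxn.dll
O4 - HKLM\..\Run: [NAV Agent] C:\Program Files\Norton AntiVirus\navapw32.exe
O4 - HKLM\..\Run: [sysvu] C:\WINDOWS\sysvu.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkog.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""


def classify_path(path: str):
    """Reason a file path deserves attention, or None."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in DENY_LIST:
        return "name is on the thread's bad list"
    if WINDOWS_ROOT_RE.match(path.lower()) and name not in WINDOWS_ROOT_OK:
        return "binary placed directly in \\WINDOWS"
    return None


def triage_hjt(log_text: str) -> list:
    """Walk the log once; return one Finding per suspicious item."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        item = ITEM_RE.match(line)
        if item:
            code, body = item.group("code"), item.group("body")
        elif PATH_RE.match(line):
            code, body = "PROC", line  # entry from the "Running processes" list
        else:
            continue
        low = body.lower()
        if code.startswith("R") and ("about:blank" in low or "res://" in low):
            findings.append(Finding(code, "IE start/search page hijacked", ""))
        paths = PATH_RE.findall(body)
        for path in paths:
            reason = classify_path(path)
            if reason:
                findings.append(Finding(code, reason, path))
        if code == "O23" and "(file missing)" in low:
            findings.append(Finding(code, "service registered for a file that is gone", paths[0] if paths else ""))
    return findings


def names_to_disable(findings: list) -> list:
    """Distinct file names to stop (process/service) and then delete offline."""
    return sorted({f.path.rsplit("\\", 1)[-1].lower() for f in findings if f.path})


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.code:<5} {f.reason:<45} {f.path}")
    print("disable/delete:", ", ".join(names_to_disable(triage_hjt(SAMPLE_LOG))))
```

The output of names_to_disable() is the list to work through in the order Rich gave: stop the process or service, note the path, then delete the file with the drive offline or in Safe mode; anything the deny-list does not know about still has to be looked up by hand.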
LVL 12

Expert Comment

by:rossfingal
ID: 13623646
Also, remember to delete any folders assc. with this junk.
Clean out all the "Temp" files, including "Temporary Internet File" (if present)

For future reference - I've found these tools (free) useful for finding "hidden" things:
DLLCompare - as mentioned above
Advanced Process Manager - http://www.diamondcs.com.au/index.php?page=apm
Dllusage - http://p-nand-q.com/download/dllusage/overview.html
GetService - http://www.bleepingcomputer.com/files/spyware/getservice.zip
Pocket Killbox - http://download.broadbandmedic.com/    (good to remove "stubborn" files)
PV - process viewer - http://www.gatesofdelirium.com/ee/tools/
Rootkit Revealer -   http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
Silent Runners - http://www.aaronoff.com/silent_runners/
Startdreck -  http://www.niksoft.at/_data/startdreck.zip
EScan-mwav - http://www.mwti.net/antivirus/free_utilities.asp  (free version finds things - pay version also, removes)

Regards!

RF
0
 

Accepted Solution

by:
mgross333 earned 0 total points
ID: 13854111
I am asking the EE Moderator to close this question with no points assigned for the following reason. The Spyware Symptoms on the PC were solved 50% by running Microsoft beta Antispyware in normal mode on the PC after getting the Spyware symptoms to appear AND 50% by following MS beta run with HiJack This log analysis by EE Expert Greyknight17. Although expert richrumble put a lot of time into replying here and I followed his advice, that advice is NOT what solved the problem. Greyknight17 was contacted outside the EE forum (via his email address) and HiJack Log posting and advice was done thru the KRC forum, a private forum created and administered by greyknight17.

The same approach (but preceded by Add/Remove Programs for known spyware), i.e. Add/Remove, then MS beta, then HiJack This log analysis directed by greyknight17, again succeeded in removing 100% of the spyware symptoms on ANOTHER (DIFFERENT) PC with a bad spyware infection three days ago.

Regarding the effectiveness of the MS beta AntiSpyware SW, in my experience over the last two months with either medium or bad spyware infections it is the ONLY spyware removal SW that has removed symptoms in a significant way. With less serious spyware infections, almost any of the well-known programs (Ad-aware, Spybot) will work. The MS beta AntiSpyware SW was effectively chosen by PC World Magazine in last month's cover article on spyware as their top choice for spyware removal if you combine the statistics in the MS beta sidebar with the rest of the article (which chose CounterSpy). The MS beta sidebar makes it clear that the underlying SW (Giant SW) and the user interface are the same for CounterSpy and MS beta, and that MS beta has even better statistics in removing spyware than CounterSpy. That is why I say "effectively" MS beta was the top choice. MS beta was not officially included in the competition because it is in beta, not final release. The statistics were compiled by infecting a PC with about 83 kinds of spyware in 4 different spyware categories and seeing which spyware removal program had the best removal statistics.

The PC World Magazine Spyware article can be read online at www.pcworld.com/reviews/article/0,aid,119572,00.asp  .

All this about Microsoft beta AntiSpyware (installed from www.microsoft.com/downloads/details.aspx?FamilyID=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en ) is not to minimize the importance of HiJack This log analysis. The two earlier steps above remove some but not all spyware symptoms. HiJack This log analysis and follow-up HiJack This "fixes" and deleting related files and so on seem to be necessary to remove ALL spyware symptoms if the infection is serious. At least that is my experience in the last month or two.

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13860442
No objections from me.
-rich
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13860877
Sounds good!
RF
0
 
LVL 2

Expert Comment

by:Newjack64
ID: 13861486
That works for me.
0
